CVE-2018-1327 — Apache Struts REST Plugin can potentially allow a DoS attack

Description

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

How to fix CVE-2018-1327

To remediate CVE-2018-1327, upgrade the affected package to a fixed version below.

—upgrade to 2.5.16 or later

Is CVE-2018-1327 being exploited?

Moderate — EPSS is 6.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.1.1, < 2.5.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1327
PATCHgithub.com/apache/struts
WEBcwiki.apache.org/confluence/display/WW/S2-056
WEBgithub.com/apache/struts/commit/4260bee634cb606be6071bce2383fddb510608aa